\section{Related Work}
\label{relatedwork}

Many pervious works have focused on enabling developers to specify data
flow assertions. Allowing the developer to better express \emph{how} data 
should flow in application has long been a research topic, and we make
no novel claims in the area. However, one work in particular influenced the
work in AnnoFlow. Additionally, we reference several papers that discuss
the issue of privacy in the cloud.

\subsection{Data-flow assertions}

One work that is very closely related to AnnoFlow is called RESIN \cite{RESIN}. 
RESIN is a PHP security assertion system, a system was proposed for asserting 
the security of data from the source to it's use.  They proposed the use of 
filter objects and policy objects.  In RESIN, policy objects wrap data such as 
passwords and social security numbers and create policies that determine where 
the data can flow.  Filter objects sit between the data objects and unsafe zones 
of the program.  The policy objects are carried with the objects as they are 
concatenated with other objects and the data is diffused.  Then, depending on 
the policy object's configuration, the original policy will apply to part of 
the data as it flows through the program. 

We modeled the data flow assertions in AnnoFlow after RESIN, with three key 
differences. First, we opted to use a more declarative framework for policies 
and filters. We believe this eases the burden on developers. Though they must 
still manually place annotations, it is much less of a burden than programmatically 
adding policies and filters. Second, we enabled an auditing framework for 
developers to be able to retrieve relevant information. And third, we integrated
our work into a platform as a service offering.

The authors of the JIF, JAVA information flow, framework at cornell present a
solution similar to RESIN into the JAVA language.  In the JIF framework, the standard JAVA
syntax has been modified to add assertions about where data can flow within a program.
While the JIF project has made large contributions to the area of information flow
tracking\cite{Chong:2007}, we feel that their syntax is beyond the reach of most developers.  Their
dataflow assertions were;however, taken into account when our filter annotations
were designed.

\subsection{Security in the cloud}

In the paper ``Taking Account of Privacy when Designing Cloud Computing Services'' \cite{TakingAccount} 
the authors identify some of the main points where privacy in the cloud break down.  
They note the importance of protecting data such as personally identifiable 
information about a specific user of the system, any usage data collected about 
users, and unique device identifiers.  Cloud systems should also protect information 
that could be private to non users (surveillance tapes).  They also point out that 
sensitive information about religion, race, health, or other information considered 
private should be protected.  They also provide some default policies that a cloud 
provider should adhere to. While this paper provided important insights into
the legal side of enabling privacy in the cloud, it does not offer a specific
implementation.

The paper ``Privacy in Distributed Electronic Commerce''\cite{PrivacyDSL}, a system 
is described for protecting user data in distributed systems.  In particular, they 
describe a framework that provides privacy in two ways.  First, an explicit set of 
policies presented to the user and a logging framework for accountability.  They 
describe that keeping accounting data on where personal information has been 
transferred to is important in stopping potential data leaks.  This research was 
focused on distributed e-commerce applications on private cloud ``like'' systems.  
Their future work points towards creating an e-commerce system for open network 
distributed systems or cloud computing. This work inspired AnnoFlow in that it
establishes a set of boundaries and policies in a distributed system. However,
we took the lessons learned in that paper and applied them to the cloud by
integrating AnnoFlow into an actual platform as a service offering.

Experts disagree on whether or not security can truly be treated as a completely 
separate concern. The paper ``On the importance of the separation-of-concerns 
principle in secure software engineering'' \cite{SecuritySoC} addresses this argument 
by highlighting when security is best separated, and when it cannot be. They believe 
that separation of concerns with regards to security is important because not all 
developers have in-depth security knowledge. Thus, being able to address cross-cutting 
concerns such as authorization in a separate way has its advantages. In addition, 
they claim that by separating security as a concern, the software becomes more 
amenable to evolution because they believe it is more adaptable. This adaptability, 
however, is a double-edged sword as they note that it may be exploited if it leads 
to unintended consequences.

In a paper published in IPDPS 2009, the authors discuss the use of autonomic managers in a hierarchical model to implement non-functional concerns in parallel applications.  Specifically, they propose that these non-functional concerns should be split into different parallel tasks and the autonomic managers should be capable of functioning in active and passive modes of operations.  When splitting the non-functional concerns, each task should receive non-functional concerns that directly relate to their computation.  As computation continues, they will actively attempt to fulfill the contract.  If the tasks are unable to meet the contract requirements, they enter a passive mode where information is being collected about functional activities are occurring.  In this passive mode the autonomic managers do not make any further policy decisions.  After entering passive mode, the autonomic manager sends a message to their parent that they are unable to meet the contract.  The parent then reacts to and creates a new contract for the task.  Thus each task has a subset of contractual obligations and a master manager is responsible for creating service level agreements dynamically.  In future work, they plan on implementing a security framework using the framework discussed in the paper.\cite{AutonomicManagement}

In the paper Cloud Security is Not (Just) Virtualization Security by IBM research, the authors present the idea of taking Cloud Security one step further and securing the operating systems running within virtual machines. They discuss a two part approach that first identifies the guest OS and then provides validation of the code executing within.  Specifically their solution creates a whitelist and blacklist of code running within the guest OS.  When a rootkit or other virus infects the OS, their algorithm will detect the abnormal code and potentially restore system files to their original state.  In future work, the team is trying to develop a type of antivirus that would run within the guest OS and be protected by the surrounding virtual machine.\cite{NotJustVirt}

Published in ASEE SE conference, the paper ``An Infrastructure for Teaching CS1 in the Cloud'' provides a detailed look at the development of a cloud platform for computer science students to learn programming skills.  The authors present a situation where the platform must create its own security rules outside of the operating system or servlet container to control JAVA classes uploaded by users.  In their scheme, the authors use byte code rewriting to identify vulnerable method calls within student code and replace them with safe ones.  Their future work is moving towards better defining the environment that students work in by reworking the interfaces for the persistent store and creating a security mechanisms for students to use.\cite{CloudSpace}

In the paper titled Data Security in the World of Cloud Computing, the authors talk about the importance of trusted computing in the cloud computing model.  Specifically saying that cloud providers must explicitly protect the data stored within the cloud.  The note that clouds that lack protection will become high priority targets.  Suddenly other applications in that cloud will also be targeted.  They note the importance of adhering to local laws about privacy protection.\cite{DataSecurity}

In the 2009 International Conference on Cloud Computing, the authors of a paper titled ``On Technical Security Issues in Cloud Computing'' investigated the major security issues plaguing Cloud Service providers.  In the first section, the paper talked about attacks on SaaS cloud computing.  These attacks generally originate due to shortcomings in the client's browser.  As the authors noted, browsers are generally not able to properly secure the AJAX requests used to power thin web applications running on client machines.  In PaaS cloud computing, there are insecurities with the bound functions.  For example, if a user performs action ``X'' it could be modified to actually call a different restricted function.  The final attack the paper presented was an attack on IaaS.  They described an indirect and direct attack on cloud infrastructure.  In a direct attack, the attacker generates additional computation on the hosted application.  More interestingly, in an indirect attack the attacker generates traffic on a machine that will impact the performance of a different web application.  In their future work, they plan to harden the foundations of cloud computing using the guidelines discussed in the paper.\cite{TechnicalSecurity}

In the book, Computer Communications and Networks, a chapter was dedicated to the emerging security issues present in cloud computing environments.  The book chapter focuses on the privacy of the data stored in the cloud.  They specifically cited the data retention and ownership rules.  These rules, they say, are very important for transparency of cloud operators and gaining the trust of users.  They note that it is important for cloud operators to carefully provide these rules to their users.\cite{CloudBook}

In a paper called ``Turning Down the LAMP'' \cite{TurnDownTheLAMP}, Madhavapeddy et. al. describe a new type of platform-as-a-service (PaaS) offering. While traditional cloud offerings offer a traditional LAMP-like software stack on which user code runs. For instance, Google's AppEngine uses Java servlets. The conventional software stack model offers a familiar abstraction, but suffers from poor performance. As with any problem in computer science, they remove layers of abstraction to increase performance. In their cloud environment, a kernel called Mirage sits directly on top of a hypervisor. Developers write code directly on top of this kernel in the OCaml language. The main benefits they claim relate to improved performance. However, they also claim that because of the type-checking of OCaml and the fact that they can very easily validate an application's configuration, Mirage offers security benefits.

The paper ``Service Oriented Computing State of the Art Research Challenges'' focuses on the future work in the area of service oriented architectures.  They cite the the need for end-to-end security solutions, QoS-aware service compositions, self protecting management services, and new engineering methodology.  These challenges show that work is needed to create a hierarchical security system for the unique challenges in service oriented environments.\cite{ServiceOrientedComputing}

In the paper published by Microsoft about web application security, they propose a more active role on the client's part for securing web application communication.  They note the vulnerabilities in the client's parsing of script code without any security checks present within the browser.  Microsoft Research proposes the use of mutation event transforms to monitor all of the scripting activity on the browser page.  These MET rules would be sent to the client from the server and could be custom tailored to the site being rendered.\cite{EndToEnd}

\subsection{Security as a separate concern}

In a paper called ``Applying Aspect-Oriented Programming to Security", Viega et. al. explore the concept of aspect-oriented programming as it relates to security. In the C programming language, certain functions are known to be unsafe. For instance, \texttt{rand()} has been known to produce predictable numbers. Additionally \texttt{gets()} has been known to lead to buffer overflow vulnerabilities. They develop an aspect definition language for defining pointcuts and advices in C programs that can intercept these unsafe method calls and replace them with secure ones. \cite{ApplyingAOPToSecurity}

The Open Web Application Security Project (owasp.org) identifies cross-site scripting (XSS) and SQL injection (SQLI) attacks as two of the most prominent threats facing web applications today. In their paper \cite{AProSec} Hermosillo et. al. introduce a security aspect called AProSec to help prevent against these attacks. They recognize that XSS attacks generally result from unsafe displaying of tainted data, and insert pointcuts at general methods that output to the end user. They then run sanitizing functions on the data. Similarly for SQLI attacks, they sanitize all SQL queries before they are written to a database. Using both AspectJ and JBoss AOP, they show that their approach can work across multiple aspect languages to successfully mitigate attacks.

In the paper ``Enterprise Security Aspects'' Bodkin looks at how aspect-oriented software design (AOSD) techniques can best be applied to enterprise security. Specifically he looks at the problems of authentication and authorization. For authentication, they consider three important dimensions: identifying when a request is received, when to require authentication, and how to force authentication. Because many enterprises use higher level framework like Servlets or Struts, identifying when a request is received becomes simply matching the semantics of the framework. As for when to require authentication, they say that it can either be required before, during, or after request processing. They favor requiring authentication before any processing has occurred. As for how to force authentication, they identify naming patterns, enumerations, and marker interfaces as potential solutions. However, they claim that annotations are promising for their declarative nature. Once a user is authenticated, they 
must be authorized for data. The paper highlights functional authorization, data access authorization, and UI element authorization as separate aspects for authorization. While the paper does not offer any new aspects for helping authentication and authorization, their discussion provides a useful ontology for other aspect authors. \cite{EnterpriseSecurityAspects}

In their paper ``AOSD and Security: A practical assessment'' De Win et. al. describe a case study of providing security measures for an existing application. Specifically, they modularized the access control and auditing concerns for an FTP server. They outline the remodularization of the code that they performed, as well as outlined four new aspects they introduced. They identified some major obstacles in applying the aspects. The major issue with applying the aspects was that the original source was not written in AOSD style, thus not much modularity in security logic. Introducing security via aspects, therefore, required some extra work on their part. \cite{AOSDSecurity}

In the paper ``Security Crosscutting Concerns and AspectJ", the authors talk about the shortcomings of the AspectJ framework.  In particular, they talked about the lack of data flow crosscutting.  This means cross cutting security into data operations depending on the source of the data.  This is particularly applicable to cloud computing because one of the missing security features is controlling the destination of data.\cite{AspectJ}

The authors of ``Disambiguating Aspect-Oriented Security Policies'' claim that the greatest weakness of Aspect oriented security policies are the non-deterministic nature of the pointcuts.  These pointcuts are designed to work with a variety of systems.  They instead propose a system that removes non-determinism and notifies the user of non-deterministic rules.  This paper is particularly useful because it helps developers correctly use aspects for security purposes.  This methodology should also be used for educating developers about cloud development.\cite{Disambig}

In their paper \cite{WebDSLSoC}, Groenewegen and Visser discuss adding access control semantics to the WebDSL language. WebDSL is a domain-specific language for web application development. Access control is a very important topic in modern web application development. Traditionally languages like XACML offer developers an abstraction for defining access control policy. However, all access checks must be explicitly transferred to a policy engine, making access control somewhat inflexible. In the paper, they present an extension to the WebDSL language that allows for programmers to define access control rules for their application. The extension is flexible to allow developers to define roles and groups for access control and perform checks on pages and data.

\subsection{Moving security services to the Cloud}

In the paper ``CloudAV: N-Version Antivirus in the Network Cloud", Oberheide et. al. propose a cloud-based antivirus for desktops. Traditional antivirus systems sit on the device they are meant to protect, scanning for malware. However, there are two major problems with traditional antivirus: out-of-date malware definitions and insufficient compute capability. By turning antivirus into a software-as-a-service, they hope to ensure that both of these problems are mitigated. They can provide up-to-date malware definitions as they become available, and can scale necessary antivirus operations. Additionally, one can imagine a sort of ``learning engine'' being implemented, whereby the antivirus service can draw from many different sources to learn new forms of malware on-the-fly. \cite{CloudAV}

In the paper ``Virtualized In-Cloud Security Services for Mobile Devices", a scheme to protect data on mobile devices using cloud computing is proposed.  In their model, they create a thin client on the mobile device to secure operations and require the device to send all unauthenticated files to the cloud to be inspected.  They were able to show that this system was able to identify more threats using less resources then existing antivirus software that executes on the mobile device.  In future work, the researchers encourage others to use this framework because of how well it will scale.\cite{VirtualizedMobile}

The paper ``Authentication in the Clouds'' by Jakobsson et. al. proposes a new form of authentication for mobile devices. An important task for mobile devices is ensuring that the user is actually who they claim to be. Typing in passwords on mobile devices has worked to mixed results. The paper builds off the idea of implicit authentication, monitoring a user's behavior and data to make judgments on whether the user is authentic or not. They outline a framework by which a cloud authentication service can learn a user's data access patterns to determine how best to implicitly authentication him or her. They present a use case whereby they detect a stolen mobile device. \cite{AuthenticationInTheClouds}

When web applications send code and data to clients (for example, AJAX) they cannot be certain that the client is not changing them to do something malicious. Thus, the paper ``Ripley: Automatically Securing Web 2.0 Applications Through Replicated Execution'' proposes a technique for protecting against this. They propose a dual-deployment of the code that is distributed. One copy goes to the client while another goes to a trusted cloud-based server. They employ the idea of sandboxing, whereby all inputs/results from the user are also run in the sandboxed copy. The output of the two are compared, and if they differ, a discrepancy is flagged. The idea of replicating execution is not new, but they are leveraging cloud computing to achieve it. \cite{Ripley}

One popular trend for application security is the rise of analysis tools. These tools analyze the source code of a program to detect known vulnerabilities in the software. For large code bases, these tools can often run for hours and utilize a lot of compute power. By offloading these tools to the cloud, one can envision being able to do a more thorough analysis of the code faster. The paper ``Open Source Verification under a Cloud'' presents a solution. They demonstrate how standard verification tools can be distributed in the cloud. Though the paper represents only a first step in the direction, future work could possible port popular security tools to the cloud. Some commercial providers of these tools already have some cloud-based capabilities. \cite{OpenSourceVerification}
